Try this (the makeresults and eval raw= lines only build sample data; the parsing starts at the split):
``` Run-anywhere example: builds one sample event holding three issues, then flattens it into one row per changelog history entry with the columns project, author and created. ```
| makeresults
| eval raw="issues: [
{
changelog: {
histories: [
{
author: ABC
created: 123
}
{
author: XYZ
created: 456
}
]
}
fields: {
project: test1
}
id: 1
}
{
changelog: {
histories: [
{
author: ABC
created: 1234
}
{
author: XYZ4
created: 456
}
]
}
fields: {
project: test1
}
id : 2
}
{
changelog: {
histories: [
{
author: ABC2
created: 1232
}
{
author: XYZ2
created: 4562
}
]
}
fields: {
project: test12
}
id: 3
}
]"
``` Cut the text at every literal id so that each multivalue entry holds one issue's changelog and fields; in this sample the id line closes each issue. ```
``` NOTE(review): split matches the substring id anywhere, so an author or project value containing those two letters would also be cut, and the text after the last id becomes an extra chunk with no author or project (presumably an empty row in the output - confirm). ```
| eval raw=split(raw,"id")
``` One result row per chunk. ```
| mvexpand raw
``` Collect every author and every created value in the chunk as multivalue fields (max_match=0 means no limit). Each capture runs to the end of its line and keeps the space that follows the colon. ```
|rex field=raw "author:(?<author>.*)" max_match=0
| rex field=raw "created:(?<created>.*)" max_match=0
``` Pair the Nth author with the Nth created value, joined by a comma. NOTE(review): the pairing is positional, so a history entry that lacks either field would shift every later pair and attribute a change to the wrong author - confirm against real data before relying on it for audit reporting. ```
|eval x=mvzip(author,created)
``` Pick up the project name of the issue in this chunk. ```
| rex field=raw "project:(?<project>.*)" max_match=0
``` Drop _time, then keep only project and the zipped pairs; raw and the multivalue author and created are discarded so they can be re-extracted per pair below. ```
| fields - _time
| fields project,x
``` One result row per author,created pair. ```
| mvexpand x
``` Split each pair back into its parts: author is the text before a comma (non-greedy), created is the text after a comma. NOTE(review): an author value that itself contains a comma would be split in the wrong place. ```
| rex field=x "(?<author>.*?)," max_match=0| rex field=x ",(?<created>.*)" max_match=0
``` Final columns. ```
| fields project,author,created